Check-in [74d7607e3c]
Overview
Comment:Fixed issue with NULL tags found with AFL fuzzing
SHA1:74d7607e3c424610f674dd55ccecfc73aca21985
User & Date: rkeene on 2015-07-24 15:10:49
Changes

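--- a/asn1-x509.c
+++ b/asn1-x509.c
@@ -66,22 +66,27 @@
 	}
 
 	buf_p = buf;
 
 	outbuf->tag = *buf_p;
 	buf_p++;
 	buflen--;
-	if (buflen == 0) {
-		return(-1);
-	}
 
 	/* NULL Tag -- no size is required */
 	if (outbuf->tag == 0x00) {
+		outbuf->size = 0;
+		outbuf->asn1rep_len = 1;
+		outbuf->asn1rep = buf;
+
 		return(_asn1_x509_read_asn1_object(buf_p, buflen, args));
 	}
+
+	if (buflen == 0) {
+		return(-1);
+	}
 
 	small_object_size = *buf_p;
 	buf_p++;
 	buflen--;
 	if (buflen == 0) {
 		return(-1);
 	}
@@ -91,27 +96,31 @@
 
 		for (small_object_size ^= 0x80; small_object_size; small_object_size--) {
 			outbuf->size <<= 8;
 			outbuf->size += *buf_p;
 
 			buf_p++;
 			buflen--;
+
 			if (buflen == 0) {
 				break;
 			}
 		}
 	} else {
 		outbuf->size = small_object_size;
 	}
 
 	if (outbuf->size > buflen) {
 		return(-1);
 	}
 
-	outbuf->contents = buf_p;
+	if (buflen != 0) {
+		outbuf->contents = buf_p;
+	}
+
 	outbuf->asn1rep_len = outbuf->size + (buf_p - buf);
 	outbuf->asn1rep = buf;
 
 	buf_p += outbuf->size;
 	buflen -= outbuf->size;
 
 	return(_asn1_x509_read_asn1_object(buf_p, buflen, args));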
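Review bot: `outbuf->contents` is left unassigned on two of the new paths: the NULL-tag branch (new lines 76–79) sets size, asn1rep_len and asn1rep but never contents, and the new guard at line 116 skips the assignment whenever buflen is 0, so a zero-length object keeps whatever value the field held before. Unless the caller zeroes outbuf (not visible in this section), a consumer that reads contents of such an object sees an indeterminate pointer rather than a defined "no payload" marker. Assigning it explicitly keeps the struct fully defined without changing what is parsed: `outbuf->contents = NULL;` in the NULL-tag branch, and `outbuf->contents = (buflen != 0) ? buf_p : NULL;` in place of the guarded assignment. Moving the `buflen == 0` check below the NULL-tag branch also means the recursive call at new line 80 can now receive buflen == 0, which is only safe if the function's entry (outside the hunk) treats an empty buffer as end of input rather than reading from it. The enclosing function begins before the first hunk, so the declarations and the type of outbuf->size are outside this section.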